Original URL: http://www.theregister.co.uk/2012/01/11/t_mobile_security/

T-Mobile 'fesses up to secure email ban gaffe

Wild spam-hunting robots killed off SMTP connections

By Bill Ray

Posted in Mobile, 11th January 2012 13:59 GMT

T-Mobile was caught blocking the secure transmission of emails earlier this month, and VPNs too, but the operator claims the former was a mistake while the latter is a legacy from a bygone era.

The problem turned up around the end of December when some punters found T-Mobile was responding to all encrypted SMTP connections, other than to its own servers, with a reset (RST) packet. That was then compounded into conspiracy when Mike Cardwell realised his Virtual Private Network connections weren't being let though either, which turns out to be an unrelated and unfixed issue.

T-Mobile employs a variety of techniques to make sending spam over its network difficult, including blocking connections made to arbitrary SMTP mail servers. Secure connections, which are then generally authenticated with a name and password, are permitted as they're useless to spammers, but for a week or two T-Mobile's network was rejecting secure connections as well as the insecure ones.

Before the age of spam one could connect to any mail server, anywhere, and ask it to relay messages, but these days servers won't accept mail unless it's addressed to someone it's responsible for, or comes from a trusted connection (so you can send mail through your own ISP's server addressed to the rest of the world). But a spammer can still connect to the mail server at, say, AOL, and send thousands of messages to AOL accounts, and if they did that from a pre-paid mobile number then they're effectively untraceable.

AOL's server may decide not to forward those messages, and may reject the connection as suspicious, but that's beside the point.

These days most mail servers allow account holders to connect remotely and send mail, therefore relieving them of the need to run a local server, but that means sending the account name and password which should only be done over a secure connection, and it's those connections that T-Mobile was erroneously blocking.

When it comes to VPNs things are slightly more complicated. T-Mobile used to sell connections which did not permit the use of a VPN, and customers on those contracts will still find their VPN use blocked. These days the operator tells us that all its mobile broadband offerings permit VPN connections, though that right may be withdrawn from a customer who abuses the fair-use policy.

So, on T-Mobile's network, secure SMTP should work, and for most people VPNs should work too, but a failing VPN is probably down to an old contract. So give T-Mobile a bell and ask before you start breaking down the packets or accusing anyone of turning Blighty into communist China. ®